Abstract. We consider the problem of finding cryptographically suitable Jacobians. By applying a probabilistic generic algorithm to compute the zeta functions of low genus curves drawn from an arbitrary family, we can search for Jacobians containing a large subgroup of prime order. For a suitable distribution of curves, the complexity is subexponential in genus 2, and $O(N^{1/12})$ in genus 3. We give examples of genus 2 and genus 3 hyperelliptic curves over prime fields with group orders over 180 bits in size, improving previous results. Our approach is particularly effective over low-degree extension fields, where in genus 2 we find Jacobians over $\mathbb{F}_{p^2}$ and trace zero varieties over $\mathbb{F}_{p^3}$ with near-prime orders up to 372 bits in size. For $p = 2^{61} - 1$, the average time to find a group with 244-bit near-prime order is under an hour on a PC.



1. Introduction 

Algebraic curves over finite fields have proven to be a fertile source of groups for cryptographic applications based on the discrete logarithm problem. This has spurred the development of highly efficient algorithms for group computation that are now available for many types of curves, including hyperelliptic, superelliptic, Picard, and $C_{ab}$ curves [2, …, 20, 26, …, 37, 66]. The group of interest consists of the $\mathbb{F}_q$-rational points on the Jacobian variety of a curve $C$, or, equivalently, the divisor class group of degree 0, $\mathrm{Pic}^0(C)$. We denote this group $J(C/\mathbb{F}_q)$, or simply $J(C)$, and call it the Jacobian of $C$.

For cryptographic use one typically seeks Jacobians with near-prime orders in the range 2^^° to 2^^^, and we also consider subgroups of Jacobians that offer comparable (perhaps superior) performance and security parameters, such as trace zero varieties [11, 21, 36]. The existence of various index calculus algorithms has centered attention on hyperelliptic curves of genus $g \le 3$ […, 24]. We similarly focus on the hyperelliptic case, although our results may be applied to any family of low genus curves.

To assess the cryptographic suitability of a group, it is necessary to know its order. For curves of genus 1 (elliptic curves), several effective point-counting algorithms are available. The most general are ℓ-adic methods, based on Schoof's algorithm [51, 55], and for small characteristic fields there are more efficient $p$-adic methods [31, 32, …]. The $p$-adic methods, particularly Kedlaya's algorithm [31], readily extend to higher genus curves, and have proven effective over small and medium characteristic fields [28, 62]. Generalization of the ℓ-adic methods has been more difficult. The best results for genus 2 curves over prime fields report roughly a week to compute the order of a group of size $\approx 2^{164}$ [27]. In genus 3, no effective ℓ-adic methods are available; however, recent work on extending $p$-adic methods to larger characteristic fields has enabled computation of group orders up to size $\approx 2^{150}$ over prime fields […, 30]. In both cases the algorithms are memory intensive, limiting their applicability to larger groups. There are other methods for curves with special properties [22, 64, 65], but for general curves of genus $g > 1$ over large characteristic fields, efficiently finding cryptographically suitable Jacobians remains an open problem […, 38].^1

The solution we propose is probabilistic. As a point-counting algorithm, it usually fails. However, given a suitably diverse family of curves, it succeeds often enough to be effective as a search algorithm, with (heuristically) sub-exponential performance. One can then search for curves with a desired property, such as cryptographic suitability.



2. Overview 

We apply neither ℓ-adic nor $p$-adic methods, relying instead on generic algorithms. These perform group computations in a representation-independent manner, needing only a "black box" to implement the group law. As a result of the work cited above, we have many highly efficient black boxes at our disposal.

The $\Theta(\sqrt{N})$ complexity of birthday-paradox algorithms, such as Pollard's rho method [48] and Shanks' baby-steps giant-steps algorithm [53], makes them too slow to effectively compute the order of a large group, even when fairly tight bounds on the order are known (as in [56]). Alternatively, one may apply a generic version of Pollard's $p - 1$ technique [47], exponentiating by many small primes. This can be quite effective if the group order happens to be smooth (no large prime factors), but the worst case complexity is $\Theta(N)$.

Surprisingly, a combination of these two generic approaches is faster than either alone. The author's thesis [57] presents an $o(\sqrt{N})$ algorithm to compute the order of an element in any finite group. For a family of abelian groups with orders uniformly distributed over a large interval, the average running time is $O(\sqrt{N}/\log N)$. This average is dominated by an $o(1)$ fraction of worst cases (groups of prime order). The median complexity is $O(N^{0.344})$, and when the group order is highly composite, the algorithm is very fast. By applying a bounded amount of computation to each group in a family, we can hope to find one whose order is easily computed. This approach is similar to some algorithms for integer factorization [39, 50], and has been successfully applied to compute ideal class groups of imaginary quadratic number fields with 100-digit discriminants. For a suitable distribution of group orders, the complexity is subexponential:

$L(1/2, \sqrt{2}) = O\bigl(\exp\bigl[(\sqrt{2} + o(1))\,(\log N \log\log N)^{1/2}\bigr]\bigr).$

The ability to quickly find a group with highly composite order would seem of little use in the search for cryptographically suitable groups, as this is precisely the opposite of what is desired. However, the order of one Jacobian may be used to compute the orders of several others. For low genus curves, given $\#J(C)$, we can readily recover the zeta function (3.1) of $C$ via the L-polynomial $P(z)$ that appears in its numerator. This process is trivial in genus 1, almost trivial in genus 2, and in genus 3 we give a generic algorithm requiring $O(N^{1/12})$ group operations.^2



^1 There is a polynomial-time ℓ-adic algorithm due to Pila for arbitrary abelian varieties [46], but it is not practical for groups of cryptographic size.

^2 This is asymptotically exponential, but negligible for the size groups we consider.
With $P(z)$ in hand, we can compute the order of $J_d(C) = J(C/\mathbb{F}_{q^d})$ for any degree $d$ extension field (Lemma 1). When $b$ divides $a$, the abelian group $J_b(C)$ is a subgroup of $J_a(C)$, and we consider groups of the form

(2.1) $J_{a/b}(C) = J_a(C)/J_b(C).$

When $C$ is hyperelliptic, $J_{2/1}(C)$ is isomorphic to $J(\tilde C)$, where $\tilde C$ is the quadratic twist of the curve $C$ over $\mathbb{F}_q$ (Lemma 3). In general, $J_{a/b}$ need not correspond to the Jacobian of a curve; however, we can compute in $J_{a/b}(C)$ using the group operation of $J_a(C)$. The group $J_{a/1}(C)$ corresponds to a trace zero variety (Lemma 2). As noted by Lange, computation in the trace zero variety is typically more efficient than computation in a Jacobian of comparable size and genus, due to optimizations enabled by the Frobenius endomorphism [36].

The shape of the integer $\#J_{a/b}(C)$ is not particularly correlated with $\#J(C)$, and it is possible that the former may be near prime while the latter is quite smooth (Table 2). We should remark that this situation is not believed to diminish the security of the group $J_{a/b}(C)$. Indeed, most of the elliptic curves in the NIST Digital Signature Standard […], and nearly all the Certicom challenge curves [12], have relatively insecure quadratic twists.^3

When considering the cryptographic use of Jacobians over extension fields, one must take into account the existence of transfers (cover attacks) which may reduce their effective security (Proposition 1). For hyperelliptic curves in genus 3 this essentially limits us to $J_{2/1}(C) \cong J(\tilde C)$ over a prime field. For genus 2 curves, however, there are four groups with potentially competitive performance/security ratios when $q$ is prime:

(2.2) $J_{2/1}(C) \cong J(\tilde C),\quad J_{3/1}(C),\quad J_{3/1}(\tilde C),\quad J_{4/2}(C) \cong J(\tilde C_2).$

Here $\tilde C$ is the quadratic twist of $C$ in $\mathbb{F}_q$ and $\tilde C_2$ is the quadratic twist in $\mathbb{F}_{q^2}$. The group $J(\tilde C)$ has size $\approx q^2$ while the last three groups are each of size $\approx q^4$.

To give a brief example, we used this approach on a family of $10^{\ldots}$ random curves over $\mathbb{F}_p$, with $p = 2^{61} - 1$ implying $\#J(C) \approx 2^{122}$. For suitably chosen parameters, a single PC (2.5 GHz AMD Athlon-64) tests about two curves per second, successfully computing $\#J(C)$ for some curve in the family every four or five minutes on average. We computed the zeta functions of some 2000 curves, finding 220 groups with 244-bit near-prime orders (cofactor < 5% of the bits), including many of prime order. For cryptographic use, most of these groups should be compared to genus 2 Jacobians over a prime field with a group size of 180 to 200 bits (Proposition 1). Depending on the implementation, they may offer superior performance.

More detailed examples are provided in Section 5, including results for much larger groups. We have successfully applied this approach over prime fields with $\#J(C)$ up to 186 bits in genus 2, and 183 bits in genus 3, improving previous bests of 164 bits (Gaudry and Schost [27]) and 150 bits (Harvey [30]). We note, however, that while our method computes zeta functions of curves drawn from an arbitrary family, it will likely fail on any particular curve and should be distinguished from point-counting algorithms. The new algorithm is faster, less memory intensive, and well suited to distributed implementation.



^3 In particular, the order of the twist of the Certicom curve ECCp-163 contains no prime factors larger than $2^{\ldots}$. Discrete logarithms in the twist can be computed in well under an hour on a typical PC, yet the US$30,000 cash prize remains unclaimed after nearly a decade.
3. Mathematical Background

For a projective curve $C$ defined over $\mathbb{F}_q$, let $N_k$ count the points on $C$ in $\mathbb{P}(\mathbb{F}_{q^k})$. The zeta function of $C$ is the formal power series

(3.1) $Z(C/\mathbb{F}_q, z) = \exp\Bigl(\sum_{k=1}^{\infty} N_k z^k / k\Bigr).$

Our interest in the zeta function stems from the well-known theorem of Weil [63], which we restrict here to projective curves defined over $\mathbb{F}_q$. Henceforth we assume all curves are non-singular and irreducible over the algebraic closure $\bar{\mathbb{F}}_q$.

Theorem 1 (Weil). Let $C$ be a genus $g$ curve defined over $\mathbb{F}_q$.

(1) $Z(C/\mathbb{F}_q, z) = P(z)/[(1 - z)(1 - qz)]$, where $P(z) = \sum_{i=0}^{2g} a_i z^i$ has integer coefficients satisfying $a_0 = 1$ and $a_{2g-i} = q^{g-i} a_i$, for $0 \le i \le g$.

(2) $P(z) = \prod_{i=1}^{2g} (1 - \alpha_i z)$, with $|\alpha_i| = \sqrt{q}$.

(3) $N_k = q^k + 1 - \sum_{i=1}^{2g} \alpha_i^k$.

A proof can be found in chapters 8 and 10 of [40]. We call $P(z)$ the L-polynomial of the curve $C$. From (2) we obtain the bounds

(3.2) $|a_i| \le \binom{2g}{i} q^{i/2}.$



Let $J(C/\mathbb{F}_{q^k})$ denote the group of $\mathbb{F}_{q^k}$-rational points on the Jacobian variety of $C$. We write $J_k(C)$ for $J(C/\mathbb{F}_{q^k})$, and $J(C)$ for $J(C/\mathbb{F}_q)$, when $\mathbb{F}_q$ is understood.

Lemma 1. Let $C$ and $P(z)$ be as in Theorem 1. Then

$\#J_k(C) = \prod_{i=1}^{k} P(\omega^i),$

where $\omega = e^{2\pi i/k}$ is a principal $k$th root of unity.

See [40, 8.5.12 and 8.6.2-3] for a proof. In particular, $\#J(C) = P(1)$, and applying (2) of Theorem 1 gives the Weil interval:

(3.3) $(\sqrt{q} - 1)^{2g} \le \#J(C) \le (\sqrt{q} + 1)^{2g}.$

The Frobenius automorphism $a \mapsto a^q$ of the finite field $\bar{\mathbb{F}}_q$ gives rise to a group endomorphism on $J_k(C)$, which we denote $\phi_q$. The elements of $J_k(C)$ fixed by $\phi_q$ are precisely the subgroup $J(C)$. When $d$ divides $k$, we define $J_{k/d}$ to be the image of $\phi_q^d - 1$ on $J_k$, where $1$ denotes the identity map. Thus $J_{k/d}$ is a subgroup of $J_k(C)$ isomorphic to $J_k(C)/J_d(C)$. We define the trace zero variety of $J_k(C)$, denoted $T_k(C)$, to be the kernel of the group endomorphism

$\phi_q^{k-1} + \phi_q^{k-2} + \cdots + 1.$

Lemma 2. Let $C$ be a curve defined over $\mathbb{F}_q$. Then $J_{k/1}(C) \subseteq T_k(C)$. Equality holds when $J(C)$ is $k$-torsion free.

Proof. To show inclusion, we factor $\phi_q^k - 1$ in the endomorphism ring of $J_k(C)$:

$J_k(C) = \ker(\phi_{q^k} - 1) = \ker(\phi_q^k - 1) = \ker\bigl[(\phi_q - 1)(\phi_q^{k-1} + \cdots + 1)\bigr].$

The image of $\phi_q - 1$ lies in the kernel of $\phi_q^{k-1} + \cdots + 1$, hence $J_{k/1}(C) \subseteq T_k(C)$. When $J(C)$ is $k$-torsion free, $J(C) \cap T_k(C)$ is trivial and

implying equality. □

If $\mathbb{F}_q$ is a finite field of odd characteristic, we may define a hyperelliptic curve of genus $g$ as a projective plane curve $C$ with affine part given by

$y^2 = f(x),$

where $f(x) \in \mathbb{F}_q[x]$ has non-zero discriminant and degree $d = 2g + 1$ or $2g + 2$.^4 If $a \in \mathbb{F}_q$ is not a quadratic residue, the quadratic twist of $C$ in $\mathbb{F}_q$, denoted $\tilde C$, has affine part $ay^2 = f(x)$, more conveniently expressed as

Any choice of non-residue in $\mathbb{F}_q$ yields a curve isomorphic to $\tilde C$.

Lemma 3. Let $C$ be a hyperelliptic curve with L-polynomial $P(z)$.

(1) $P(-z)$ is the L-polynomial of $\tilde C$; (2) $J_{2/1}(C) \cong J(\tilde C)$.

Proof. Let $\tilde N_k$ count the points on $\tilde C$ in $\mathbb{P}(\mathbb{F}_{q^k})$. For $k$ even, $N_k = \tilde N_k$, and for $k$ odd, $N_k + \tilde N_k = 2(q^k + 1)$. Applying (3) and (2) of Theorem 1 proves (1), and Lemma 1 implies that $\#J_2(C) = P(1)P(-1) = \#J(C)\,\#J(\tilde C)$. The curves $C$ and $\tilde C$ are isomorphic over $\mathbb{F}_{q^2}$, thus we may regard $J(\tilde C)$ as a subgroup of $J_2(C)$ that intersects $J(C)$ trivially. $J_2(C)$ is then the (internal) product of the subgroups $J(C)$ and $J(\tilde C)$, hence $J_{2/1}(C) \cong J_2(C)/J(C) \cong J(\tilde C)$. □
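As an added example (not part of the paper), the following Python computes $\#J_k(C)$ from $P(z)$ via Lemma 1 in exact integer arithmetic: $\prod_{i=1}^{k} P(\omega^i)$ is the determinant of the circulant matrix of $P$ reduced modulo $z^k - 1$, so no complex roots of unity are needed. It also checks Lemma 3 and the quotients $J_{a/b}(C)$ of (2.1) on a constructed genus 2 L-polynomial (chosen to satisfy the functional equation of Theorem 1, not taken from an actual curve).

```python
# Added example (not from the paper): #J_k(C) from the L-polynomial P(z) via
# Lemma 1, and the groups J_{a/b}(C) of (2.1)/(2.2), in exact integer arithmetic.
# The sample polynomial is constructed to satisfy Theorem 1's functional
# equation; it is not claimed to be the L-polynomial of an actual curve.

def det_bareiss(M):
    """Exact determinant of an integer matrix (Bareiss fraction-free elimination)."""
    A = [row[:] for row in M]
    n, sign, prev = len(A), 1, 1
    for k in range(n - 1):
        if A[k][k] == 0:                        # swap in a non-zero pivot from below
            for r in range(k + 1, n):
                if A[r][k] != 0:
                    A[k], A[r] = A[r], A[k]
                    sign = -sign
                    break
            else:
                return 0
        for i in range(k + 1, n):
            for j in range(k + 1, n):
                A[i][j] = (A[i][j] * A[k][k] - A[i][k] * A[k][j]) // prev
        prev = A[k][k]
    return sign * A[n - 1][n - 1]

def jacobian_order(P, k):
    """#J_k(C) = prod_{i=1}^{k} P(omega^i) (Lemma 1). Reduce P modulo z^k - 1; the
    multiplication-by-P matrix on Z[z]/(z^k - 1) is circulant and its determinant
    is exactly the product of P over the k-th roots of unity."""
    c = [0] * k
    for i, a in enumerate(P):
        c[i % k] += a                           # z^i == z^(i mod k) modulo z^k - 1
    M = [[c[(j - i) % k] for j in range(k)] for i in range(k)]
    return det_bareiss(M)

def twist_lpoly(P):
    """L-polynomial P(-z) of the quadratic twist (Lemma 3(1))."""
    return [(-1) ** i * a for i, a in enumerate(P)]

def quotient_order(P, a, b):
    """#J_{a/b}(C) = #J_a(C) / #J_b(C) for b | a, cf. (2.1); J_b(C) is a subgroup of J_a(C)."""
    assert a % b == 0
    Ja, Jb = jacobian_order(P, a), jacobian_order(P, b)
    assert Ja % Jb == 0
    return Ja // Jb

def lpoly_from_coeffs(q, g, a):
    """P(z) = sum a_i z^i from a_1..a_g using a_0 = 1 and a_{2g-i} = q^{g-i} a_i."""
    coeffs = [1] + list(a)
    for i in range(g - 1, -1, -1):
        coeffs.append(q ** (g - i) * coeffs[i])
    return coeffs

# Constructed sample: genus 2, q = 5, a_1 = 1, a_2 = 3, i.e. P(z) = 1 + z + 3z^2 + 5z^3 + 25z^4.
Q, G_SAMPLE = 5, 2
P_SAMPLE = lpoly_from_coeffs(Q, G_SAMPLE, [1, 3])

if __name__ == "__main__":
    print("P(z) =", P_SAMPLE)
    for k in range(1, 5):
        print(f"#J_{k}(C) = {jacobian_order(P_SAMPLE, k)}")
    print("#J(C~) = P(-1) =", jacobian_order(twist_lpoly(P_SAMPLE), 1))   # Lemma 3
    print("#J_{3/1}(C) =", quotient_order(P_SAMPLE, 3, 1),
          " #J_{4/2}(C) =", quotient_order(P_SAMPLE, 4, 2))
```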

Finally, we note results that impact the effective security of hyperelliptic curves […]. Taking a pessimistic view, we list the strongest potential attacks known at the time of writing.

Proposition 1. Let $C$ be a hyperelliptic curve of genus $g$ over $\mathbb{F}_q = \mathbb{F}_{p^n}$.

(1) Discrete logarithms in $J(C)$ can be computed in time $O(p^{\ldots})$. [25]

(2) If $J(C)$ is cyclic and $g \ge 3$, discrete logarithms in $J(C)$ can be computed in time $O(q^{\ldots})$. Heuristically, $J(C)$ need not be cyclic. [24]

(3) If $C$ is a genus 2 curve, the discrete logarithm problem in the trace zero variety $T_3(C)$ may be transferred to the Jacobian of a genus 6 curve over $\mathbb{F}_q$. If $\#J_2(C)$ is divisible by 3, the genus may be 5. [16]

Additionally, the explicit isogenies attack of [54] on genus 3 hyperelliptic curves can (and should) be avoided by ensuring $f(x)$ has exactly one irreducible factor of degree 3, 5, or 7 over $\mathbb{F}_q$. In light of (1), we consider the security of a genus 3 curve $C$ over $\mathbb{F}_p$ comparable to that of a genus 2 curve $C'$ over $\mathbb{F}_{p'}$ where^5

$\lg \#J(C/\mathbb{F}_p) \,/\, \lg \#J(C'/\mathbb{F}_{p'}) \approx 9/8$

(note $p$ and $p'$ are different primes), and if $C$ is a genus 2 curve over $\mathbb{F}_{p^2}$ we require a ratio of 14/9. Considering (2) and (3), for the trace zero variety $T(C/\mathbb{F}_{p^3})$, the comparable ratio is 5/4 when 3 divides $\#J(C/\mathbb{F}_{p^2})$ and 6/5 otherwise.

See […] and [35] for further background on hyperelliptic curve cryptography.



^4 The black boxes we use assume $f$ is monic and $d = 2g + 1$, but our results do not require this.
^5 We use "lg" to denote binary logarithms and "log" for the natural logarithm (the distinction is immaterial here and in big-O notation, but may be relevant elsewhere).






ANDREW V. SUTHERLAND 



4. Algorithms 

To compute $\#J(C)$, we apply a probabilistic generic algorithm that computes the order (and structure) of an arbitrary finite abelian group $G$. We give an overview of the general algorithm presented in [57], focusing on the components most relevant to searching a family of Jacobians.

By convention, we use multiplicative notation for generic groups and let $1_G$ denote the group identity. For $\alpha \in G$, we let $|\alpha|$ denote the order of $\alpha$, the least positive integer $n$ for which $\alpha^n = 1_G$, and call any multiple of $|\alpha|$ an exponent of $\alpha$. The order of $G$ is denoted $|G|$, and $\lambda(G)$ is the exponent of $G$, the least positive integer which is an exponent of every element in $G$. Complexity metrics for generic algorithms count group operations (time) and group elements (space).

We assume the availability of a black box that uniquely identifies group elements, a requirement easily met by Jacobian arithmetic based on a Cantor-Mumford representation. We also require access to randomly generated group elements, which may be obtained via the methods detailed in […, 14.1-2]. We presuppose a uniform distribution; however, this assumption can typically be relaxed in practice.^6

Central to our method for obtaining subexponential performance is the notion of a conditional algorithm. Such an algorithm is given the option to explicitly reject inputs that fail to satisfy a specified condition, but must otherwise behave correctly.

The condition we use here is based on the fact that for any group element $\alpha$,

(4.1) $|\alpha^E| = \dfrac{|\alpha|}{\gcd(|\alpha|, E)}.$

This may be used to reduce the size of $|\alpha^E|$ relative to $|\alpha|$, making it easier to compute. This motivates the following definition.

Definition 1. Let $E = \prod q$ where $q$ ranges over maximal prime-powers bounded by $B$. A positive integer $N$ for which $N/\gcd(N, E) \le B^2$ is called $B$-easy, and otherwise, $B$-hard.

A $B$-easy integer is semismooth with respect to $B^2$ and $B$ (prime factors bounded by $B^2$ and all but one by $B$). The converse holds if we apply the semismooth criteria to prime-power factors.

Proposition 2. For any $B > 0$ there is a probabilistic generic algorithm $\mathcal{A}$ such that the following hold for all finite abelian groups $G$:

(1) If $\mathcal{A}$ rejects, then $|G|$ is $B$-hard; otherwise, with high probability, $\mathcal{A}$ outputs $\lambda(G)$, the structure of $G$, and $|G|$.

(2) The expected number of group operations is $O(B) + O(\lg |G|)$.

We say $\mathcal{A}$ computes $|G|$ on the condition that $|G|$ is $B$-easy. The probability and expectation in Proposition 2 do not depend on $G$. By the structure of $G$, we mean an explicit factorization of $G$ into cyclic subgroups of known order with a generator for each factor. The structure of $G$ is computed using $\lambda(G)$, to obtain $|G|$.

When tight bounds on $|G|$ are known, as in the case of Jacobians, the fact that $\lambda(G)$ divides $|G|$ may suffice to determine $|G|$, and the structure of $G$ is not needed. The time to compute $|G|$ is typically dominated by the time to compute $\lambda(G)$ in any event; computing the group structure at worst increases the constant factors.



^6 For small groups, the simplest approach in […] may not generate the entire Jacobian. Decompression techniques ensure a uniform distribution (at slightly greater cost).
If $B \ge |G|^{1/2}$ then $|G|$ is certainly $B$-easy. By starting with a small value of $B$ and increasing it in stages, one obtains an $O(N^{1/2})$ algorithm for computing the structure of any finite abelian group. When $|G|$ is a random integer, the median complexity is $O(N^{0.344})$. This approach can be much faster than other generic algorithms for computing abelian group structure […].

To search for Jacobians, we estimate $|G| \approx 2^n$ based on the Weil interval (3.3), then pick a fixed $B = 2^{n/u}$ that minimizes $B/\sigma(u)$, where $\sigma(u)$ estimates the probability that a random integer $x$ is $x^{1/u}$-easy. Asymptotically, we may use $\sigma(u) = G(1/u, 2/u)$, where $G(s, t)$ is the semismooth probability function defined by Bach and Peralta in [1] (the impact of prime-power factors is negligible). This yields an $L(1/2, \sqrt{2}/2)$ bound on both $1/\sigma(u)$ and $B$, leading to an $L(1/2, \sqrt{2})$ bound on the entire search, based on the heuristic assumption that $|G|$ has the distribution of a random integer of comparable size.^7

It remains to prove Proposition 2. We assume henceforth that $B > \lg^2 |G|$.

Algorithm 1 (Group Order). Given a finite abelian group $G$ and a bound $B$, on the condition that $|G|$ is $B$-easy:

1. Compute $\lambda(G)$ on the condition that $\lambda(G)$ is $B$-easy.

2. For each prime $p \mid \lambda(G)$, compute the structure of $H_p$, the $p$-Sylow subgroup of $G$, on the condition that $|H_p| \le B^2$. (If $|G|$ is found $B$-hard, reject.)

Output $\lambda(G)$, the structure of $G$, and $|G|$.

The algorithm for Step 2 is described in detail in [57, Algorithm 9.1]. Computation in $H_p$ is accomplished via the black box for $G$, exponentiating by $\lambda(G)/p^h$ to obtain random elements of $H_p$ (here $p^h$ is the largest power of $p$ dividing $\lambda(G)$). Computing the structure of $H_p$ uses $O(\sqrt{|H_p|})$ group operations [57, Proposition 9.3]. The condition $|H_p| \le B^2$ gives a complexity of $O(B \lg |G|)$ (entirely acceptable in practice); however, to prove Proposition 2 we reject whenever $|G|$ is $B$-hard, assuring an $O(B)$ bound. As noted above, Step 2 need not be implemented to search for large Jacobians.

We now present the algorithm to compute $\lambda(G)$, using two generic subroutines that compute the order of a group element.

Algorithm 2 (Group Exponent). Given a finite abelian group $G$, a bound $B$, and a constant $c$, let $E = \prod q$, where $q \le B$ ranges over prime powers, and set $N \leftarrow 1$. On the condition that $\lambda(G)$ is $B$-easy:

1. For a random $\alpha \in G$, set $\alpha \leftarrow \alpha^N$, then compute $\beta \leftarrow \alpha^E$.

2. Compute $N' = |\beta|$ on the condition that $|\beta| \le B^2$.

3. Compute $N'' = |\alpha^{N'}|$ with exponent $E$. Set $N \leftarrow NN'N''$ and $t \leftarrow 1$.

4. For a random $\alpha \in G$, attempt to compute $N' = |\alpha^N|$ with exponent $E$. If a reject occurs, goto Step 1.

5. Set $N \leftarrow NN'$ and increment $t$. If $t < c$ then goto Step 4.

Output $\lambda(G) = N$.



^7 One uses $\sigma(u) \ge \rho(u)$, where $\rho(u)$ is the Dickman function […].
The order computation in Step 2 is a bounded search for $|\beta| \le B^2$, which may be performed by a standard birthday-paradox algorithm or by Algorithm 4 below. The order computations in Steps 3 and 4 use Algorithm 3. In Step 3, $E$ is necessarily an exponent of $\alpha^{N'}$, since $(\alpha^{N'})^E = \beta^{N'} = 1_G$. In Step 4, $E$ might not be an exponent of $\alpha^N$, causing Algorithm 3 to reject. We now show this rarely happens.

If Step 2 rejects, then $|\alpha|$ is $B$-hard and so is $\lambda(G)$. Otherwise, we claim that the integer $\lambda(G)/|\alpha|$ is $B$-powersmooth, with probability greater than $1 - 1/B$. For a uniformly random $\alpha \in G$ and a prime power $p^h$ dividing $\lambda(G)$, we find that

(4.2) $\Pr\Bigl[\,p^h \text{ divides } \dfrac{\lambda(G)}{|\alpha|}\,\Bigr] \le \dfrac{1}{p^h},$

by considering a factorization of $G$ into cyclic subgroups of prime-power order. If $\lambda(G)/|\alpha|$ is not $B$-powersmooth, it must be divisible by a prime power greater than $B$, and our claim is proven by (4.2). It follows that the expected complexity is $O(B)$ group operations, assuming an $O(B)$ bound on each step.

The output value $N$ is the least common multiple of the orders of $c$ random group elements, necessarily a divisor of $\lambda(G)$. One can apply […] to obtain

(4.3) $\Pr[N \ne \lambda(G)] \le 1 - \ldots,$

as shown in [57, Proposition 8.3].

From the prime number theorem we find $\lg E \approx (B/\log B)\lg B = B/\log 2$, hence Step 1 can be accomplished with standard exponentiation techniques using $B/\log 2 + o(B)$ group operations. Step 2 can be performed by either of the generic birthday-paradox algorithms using an expected $O(B)$ group operations. We give a more efficient method (Algorithm 4), but it is not needed for Proposition 2.

To complete the demonstration of the proposition, we need only show how to compute $|\alpha|$ with an exponent $E$, using $O(\lg E)$ group operations.

Algorithm 3 (Linear Order). Given an integer $E = q_1 q_2 \cdots q_w$ factored into prime powers and $\alpha \in G$, let $\alpha_0 = \alpha$. On the condition that $\alpha^E = 1_G$:

(1) For $i = 1$ to $w$, compute $\alpha_i \leftarrow \alpha_{i-1}^{q_i}$ until $\alpha_i = 1_G$.
If this fails to occur then reject, otherwise set $N \leftarrow |\alpha_{i-1}|$.

(2) Do a binary search for the least $j \in [0, i]$ for which $\alpha_j^N = 1_G$.
If $j > 0$ then set $i \leftarrow j - 1$, $N \leftarrow N|\alpha_i^N|$, and repeat Step 2.

Output $|\alpha| = N$.

The correctness of the algorithm follows from the invariant $N = |\alpha_i|$. Each of the assignments to $N$ involves a prime-power order computation accomplished via repeated exponentiation. The cost of Step 1 is at most $m + o(m)$ group operations, where $m = \lg E$. The cost of Step 2 may be bounded by $O((n^2/\lg n)\lg m)$, where $n = \lg|\alpha| \le \lg|G|$. For $m \ge n^2$, the total complexity is $O(m) = O(\lg E)$. For $m \gg \ldots$ it is at most $m + o(m)$, possibly much less.^8

This completes our demonstration of Proposition 2.
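Added example (not the paper's code): Definition 1 and Algorithm 3 in Python. The black box is a toy, the additive group $\mathbb{Z}/n$ with $n$ hidden inside the object, standing in for Jacobian arithmetic; the group order, the elements and the bounds $B$ are constructed for the demonstration.

```python
from math import gcd

class CyclicBlackBox:
    """Toy stand-in for a Jacobian black box: Z/n under addition with n hidden."""
    identity = 0
    def __init__(self, n):
        self._n = n
    def pow(self, x, e):
        return (x * e) % self._n

def prime_powers_up_to(B):
    """Maximal prime powers p^e <= B (the factors of E in Definition 1), as (p, e) pairs."""
    sieve = bytearray([1]) * (B + 1)
    out = []
    for p in range(2, B + 1):
        if sieve[p]:
            sieve[p * p::p] = bytearray(len(sieve[p * p::p]))
            e = 1
            while p ** (e + 1) <= B:
                e += 1
            out.append((p, e))
    return out

def is_b_easy(N, B):
    """Definition 1: N is B-easy iff N / gcd(N, E) <= B^2, with E = prod of all p^e <= B."""
    E = 1
    for p, e in prime_powers_up_to(B):
        E *= p ** e
    return N // gcd(N, E) <= B * B

def prime_power_order(G, x, p):
    """|x| when |x| is known to be a power of p: repeated exponentiation by p."""
    order = 1
    while x != G.identity:
        x, order = G.pow(x, p), order * p
    return order

def linear_order(G, alpha, E_factors):
    """Algorithm 3: |alpha| given E = q_1 ... q_w (q_i = p_i^e_i, passed as (p_i, e_i)),
    on the condition alpha^E = 1_G; returns None (reject) when E is not an exponent."""
    a = [alpha]                                   # a[i] = alpha_i = alpha_{i-1}^{q_i}
    i = None
    for idx, (p, e) in enumerate(E_factors, 1):   # Step 1
        a.append(G.pow(a[-1], p ** e))
        if a[-1] == G.identity:
            i = idx
            break
    if i is None:
        return None
    i -= 1                                        # last non-identity; |a[i]| divides q_{i+1}
    N = prime_power_order(G, a[i], E_factors[i][0])
    while True:                                   # Step 2, invariant N = |a[i]|
        lo, hi = 0, i                             # least j in [0, i] with a[j]^N = 1_G
        while lo < hi:
            mid = (lo + hi) // 2
            if G.pow(a[mid], N) == G.identity:
                hi = mid
            else:
                lo = mid + 1
        if lo == 0:
            return N
        i = lo - 1                                # a[i]^N has prime-power order dividing q_{i+1}
        N *= prime_power_order(G, G.pow(a[i], N), E_factors[i][0])

# Constructed sample: |G| = 2^5 * 3^3 * 7 * 101 = 610848, with alpha = 1 a generator.
SAMPLE_ORDER = 2 ** 5 * 3 ** 3 * 7 * 101

if __name__ == "__main__":
    G = CyclicBlackBox(SAMPLE_ORDER)
    for B in (110, 50, 10):          # B = 50: B-easy, yet E alone is not an exponent
        print(f"B = {B}: B-easy = {is_b_easy(SAMPLE_ORDER, B)}, "
              f"Algorithm 3 -> {linear_order(G, 1, prime_powers_up_to(B))}")
```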

Proposition 3. Algorithm $\mathcal{A}$ of Proposition 2 can be implemented using storage for $O(\lg^2 |G|)$ group elements.



^8 In Step 4 of Algorithm 4, $|\alpha|$ quickly becomes very smooth.



A GENERIC APPROACH TO SEARCHING FOR JACOBIANS 






Proof sketch. Pollard's rho method can be used in Step 2 of Algorithm 1 and in Step 2 of Algorithm 2, using storage for $O(\log |G|)$ group elements. This also suffices for all exponentiations ($E$ need not be explicitly computed). As written, Algorithm 3 stores $O(w) = O(B/\log B)$ group elements. When $B/\log B > \lg^2 |G|$, the space can be made $O(\lg^2 |G|)$ by saving only this many values of $\alpha_i$, recomputing as required, with a negligible impact on time (see [57, Proposition 7.1] for details). □

When searching for $B$-easy groups, it is typically not necessary to constrain space to this extent. The chosen bound $B$ is $L(1/2, \sqrt{2}/2)$ in terms of $N = |G|$ (unconditionally), and the space will be $O(B)$ (or better) even if a rho search is not used. The algorithm described below is significantly faster than a rho search, and in practice the space requirements are moderate (see Section 5).

A Parallel Primorial-Steps Algorithm. The primorial-steps algorithm [57] computes the order of an element in a generic group. It is asymptotically faster than the standard $\Theta(\sqrt{N})$ birthday-paradox algorithms, with an improvement of $\Theta(\sqrt{\log\log N})$. In practice the gain is a factor of two or three in both time and space over a standard baby-steps giant-steps implementation. We present a parallel version of the algorithm, designed for black boxes that can perform parallel group operations more quickly (typically by combining inversions in an underlying field).

A parallel algorithm is well suited to a multi-processor environment, but our primary motivation here is to speed up the group operation in a single thread of execution. The resulting algorithm remains generic. The performance improvement depends on the black box, but can be substantial (see Table 1).

As above, our approach is based on (4.1). Given $\alpha \in G$, we use exponentiation by a suitable $E$ to remove small primes from $|\alpha^E|$, enabling an optimized baby-steps giant-steps search. When $B = 1000$, we use $E = 2^{19} \cdot 3^{12} \cdot 5^8 \cdot 7^7$, and compute $\beta = \alpha^E$. Assuming that $|\alpha| \le B^2$, the integer $N = |\beta|$ is then relatively prime to the primorial $P_4 = 2 \cdot 3 \cdot 5 \cdot 7 = 210$. In general, we choose a primorial $P = P_w$ and a positive integer $m$, so that

$m^2 P \varphi(P) \ge B^2,$

where $\varphi(P)$ is Euler's function. We compute $m\varphi(P)$ baby steps $\beta^b$ for each $b \in [1, mP]$ relatively prime to $P$ and a similar number of giant steps $\beta^{mPa}$ for $a$ from 1 to $m\varphi(P)$. Since any integer $N \le B^2$ may be written in the form

$N = mPa - b,$

one of our baby steps must match one of our giant steps. In our example, we let $m = 10$ and use 480 baby steps followed by 477 giant steps. We require some additional group operations to compute $\beta = \alpha^E$ and the values $\beta^2, \beta^4, \ldots$ needed to span the gaps between integers relatively prime to $P_4$. The total is about half the 2000 group operations used in a standard baby-steps giant-steps search, and the space is similarly reduced. In general the improvement is a factor of $\sqrt{P/\varphi(P)}$, and for a suitable $P$, one obtains an asymptotic complexity of $O(B/\sqrt{\log\log B})$.^9

Applying optimized baby-step giant-step methods given constraints on the order is not new; this technique is often used in conjunction with ℓ-adic methods, as in [41]. The novelty here is that the constraints are obtained generically.

In the example above we could have used $P_5$ rather than $P_4$, and set $m$ to 1. We intentionally use a slightly suboptimal value of $P$ and a larger value of $m$ to



^9 This generalizes to an unbounded search for $N = |\alpha|$ with complexity $O(\sqrt{N/\log\log N})$ [57].
facilitate a parallel implementation. Rather than a single sequence of baby steps, we use $m$ sequences, each spanning a range of $P$ powers of $\beta$ using $\varphi(P)$ group operations. We similarly use $m$ suitably spaced sequences of $\varphi(P)$ giant steps.

To incorporate the usual optimization for fast inverses, we double the spacing between giant steps. We now choose $m$ and $P = P_w$ satisfying

$2m^2 P \varphi(P) \ge B^2,$

and assume these values are precomputed, along with the value $E = \prod_{i=1}^{w} p_i^{e_i}$, where $p_i$ is the $i$th prime and $p_i^{e_i} \le B^2 < p_i^{e_i + 1}$.

We also precompute a wheel for the primorial $P$, a sequence $r(n)$ with the property that $1 + \sum_{j=1}^{n} r(j)$ gives the $(n+1)$st positive integer relatively prime to $P$, for $n$ from 1 to $\varphi(P)$. The wheel for $P_3 = 30$ is the sequence $(6, 4, 2, 4, 2, 4, 6, 2)$. The value $r_{\max}$ denotes the largest element of the sequence $r(n)$. To obtain greater flexibility in the choice of $m$, one can use $P = tP_w$ and "roll" the wheel $t$ times in Step 3 below. For simplicity we assume $P = P_w$.

Algorithm 4 (Primorial-Steps). Given $\alpha \in G$ and a bound $B$, let $m$, $P$, $E$, $r(n)$ be as above, and let $\mathcal{B}$ and $\mathcal{G}$ be empty sets. On the condition $|\alpha| \le B^2$:

1. Compute $\beta_0 \leftarrow \alpha^E$ and $\delta_i = \beta_0^i$, for even $i$ from 2 to $r_{\max}$.
Compute $\beta_i \leftarrow \beta_0^P \beta_{i-1}$, for $i$ from 1 to $m - 1$. Let $\beta = (\beta_0, \ldots, \beta_{m-1})$.

2. Compute $\gamma_0 \leftarrow \beta_0^{2mP}$ and $\delta_0 = \gamma_0$.
Compute $\gamma_i = \gamma_0^{\varphi(P)} \gamma_{i-1}$, for $i$ from 1 to $m - 1$. Let $\gamma = (\gamma_0, \ldots, \gamma_{m-1})$.

3. Set $k \leftarrow 1$ and for $i$ from 0 to $m - 1$, set $\mathcal{B} \leftarrow \mathcal{B} \cup \{(\beta_i, i, k)\}$.
For $j$ from 1 to $\varphi(P) - 1$: compute $\beta \leftarrow \beta \delta_{r(j)}$, set $k \leftarrow k + r(j)$, and for $i$ from 0 to $m - 1$, set $\mathcal{B} \leftarrow \mathcal{B} \cup \{(\beta_i, i, k)\}$.

4. If $(1_G, i, k) \in \mathcal{B}$, minimize $N = Pi + k$ over such tuples and goto Step 6.

5. Set $k \leftarrow 0$, then for $i$ from 0 to $m - 1$ set $\mathcal{G} \leftarrow \mathcal{G} \cup \{(\gamma_i, i, k)\}$.
For $k$ from 1 to $\varphi(P) - 1$: compute $\gamma \leftarrow \gamma \delta_0$, and for $i$ from 0 to $m - 1$, set $\mathcal{G} \leftarrow \mathcal{G} \cup \{(\gamma_i, i, k)\}$.

6. Find the least $N = a \pm b$ corresponding to $\gamma \beta^{\pm 1} = 1_G$,
where $a = 2mP(\varphi(P) i_1 + k_1)$ and $b = P i_2 + k_2$,
for some $(\gamma, i_1, k_1) \in \mathcal{G}$ and $(\beta, i_2, k_2) \in \mathcal{B}$.
If no such $N$ exists, reject.

7. Compute $N' = |\alpha^N|$ with exponent $E$ and set $N \leftarrow NN'$.
Output $N = |\alpha|$.

In a parallel search, the first match found doesn't necessarily give the order of $\beta_0$ (we could find a multiple of $|\beta_0|$), hence the minimization of $N$. In a standard implementation we don't explicitly construct the set $\mathcal{G}$; rather, we check for a match in $\mathcal{B}$ as each giant step is computed. This allows early termination when successful, provided we handle the case that $N$ is a multiple of $|\beta_0|$. We can determine $|\beta_0|$ using the (factored) exponent $N$ before proceeding to Step 7.

In the present application there is good reason to explicitly compute $\mathcal{G}$ and perform the matching process in Step 6, as shown. We expect the search to fail in most cases, so this doesn't materially impact the time. It doubles the space required, but space is not a limiting factor and there are other ways to reduce it. The tuples in $\mathcal{B}$ and $\mathcal{G}$ needn't store entire group elements (a small hash value suffices) and $B$ may be chosen judiciously (see Table 5).^{10}

The advantage of computing both $\mathcal{B}$ and $\mathcal{G}$ explicitly is that it allows matching to be performed more efficiently (it also enables greater parallelism). When the group operation is extremely fast, the implementation of the lookup table used in a baby-steps giant-steps search can have a significant impact on the running time. On our test platform, the fastest black boxes achieve execution times close to the latency of general memory access. If we defer matching until the end it can be done more quickly, with better locality of reference, as described in Section 5.
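Added example (not the paper's implementation): a sequential version of the primorial-steps search in Python, with the wheel $r(n)$, the exponent $E$ for $B = 1000$, and the $m\varphi(P) = 480$ baby steps and 477 giant steps of the text. The black box is again a toy $\mathbb{Z}/n$ with a hidden modulus; the $\pm b$ inverse trick and the $m$ parallel sequences of Algorithm 4 are omitted, and Step 7 uses the textbook per-prime order computation rather than Algorithm 3.

```python
from math import gcd

class CountingBlackBox:
    """Toy stand-in for a Jacobian black box: Z/n under addition with n hidden,
    counting multiplications so the step counts can be compared with the text."""
    identity = 0
    def __init__(self, n):
        self._n, self.muls = n, 0
    def mul(self, x, y):
        self.muls += 1
        return (x + y) % self._n
    def pow(self, x, e):
        return (x * e) % self._n

def first_primes(w):
    ps, n = [], 2
    while len(ps) < w:
        if all(n % p for p in ps):
            ps.append(n)
        n += 1
    return ps

def wheel(w):
    """Primorial P_w and its wheel r(1..phi(P)): 1 + r(1) + ... + r(n) is the
    (n+1)st positive integer coprime to P, so the phi(P) gaps sum to P."""
    P = 1
    for p in first_primes(w):
        P *= p
    coprime = [b for b in range(1, P + 2) if gcd(b, P) == 1]   # 1, ..., P + 1
    return P, [coprime[i + 1] - coprime[i] for i in range(len(coprime) - 1)]

def primorial_exponent(w, bound):
    """E = prod p_i^{e_i} over the first w primes, with p_i^{e_i} <= bound < p_i^{e_i+1}."""
    facs = []
    for p in first_primes(w):
        e = 1
        while p ** (e + 1) <= bound:
            e += 1
        facs.append((p, e))
    E = 1
    for p, e in facs:
        E *= p ** e
    return E, facs

def order_with_exponent(G, x, facs):
    """|x| given x^E = 1_G for E = prod p^e: handle each prime separately
    (textbook method, used here for Step 7 in place of Algorithm 3)."""
    E = 1
    for p, e in facs:
        E *= p ** e
    order = 1
    for p, e in facs:
        y = G.pow(x, E // p ** e)                # |y| is a power of p
        while y != G.identity:
            y, order = G.pow(y, p), order * p
    return order

def primorial_steps(G, alpha, B, w, m):
    """Return |alpha| on the condition |alpha| <= B^2, else None (reject).
    Baby steps beta^b for b in [1, mP) coprime to P (walked with the wheel), giant
    steps beta^{mPa}; every match N = mPa - b is kept and the least one is |beta|."""
    P, r = wheel(w)
    phi = len(r)
    assert m * m * P * phi >= B * B, "need m^2 P phi(P) >= B^2"
    E, facs = primorial_exponent(w, B * B)
    beta = G.pow(alpha, E)                       # |beta| coprime to P if |alpha| <= B^2
    delta = {d: G.pow(beta, d) for d in set(r)}  # beta^r for each wheel gap r
    baby, candidates = {}, []
    x, b = beta, 1
    for n in range(m * phi):                     # m phi(P) baby steps
        if x == G.identity:
            candidates.append(b)                 # Step 4: 1_G among the baby steps
        baby.setdefault(x, []).append(b)
        x, b = G.mul(x, delta[r[n % phi]]), b + r[n % phi]
    giant = G.pow(beta, m * P)
    y = giant
    for a in range(1, B * B // (m * P) + 2):     # enough giant steps to reach B^2
        for bb in baby.get(y, ()):
            candidates.append(m * P * a - bb)
        y = G.mul(y, giant)
    if not candidates:
        return None
    N = min(candidates)                          # Step 6: the least match is |beta|
    return N * order_with_exponent(G, G.pow(alpha, N), facs)   # Step 7

# Constructed sample matching the text: B = 1000, P_4 = 210, m = 10; |alpha| = 72 * 999983.
if __name__ == "__main__":
    G = CountingBlackBox(72 * 999983)
    print(wheel(3))                              # (30, [6, 4, 2, 4, 2, 4, 6, 2])
    print(primorial_exponent(4, 10 ** 6)[1])     # [(2, 19), (3, 12), (5, 8), (7, 7)]
    print(primorial_steps(G, 1, 1000, 4, 10), "using", G.muls, "multiplications")
```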

4.1. Recovering the zeta function. Having computed #J(C), we need to de- 
termine the zeta function of C. This problem (and many others) is discussed in 
|17j . We provide explicit details here for the genus 2 and 3 cases and analyze the 
cost of determining the zeta function once # J(C) is known. 

Lemma 4. Let $P(z)$ denote the L-polynomial of a non-singular, irreducible, projective
curve $C$ of genus $g \le 3$ defined over $\mathbb{F}_q$. For sufficiently large $q$, the values
$P(1)$ and $P(-1)$ uniquely determine the coefficients of $P(z) = \sum_{i=0}^{2g} a_i z^i$.

Proof. Recall that $a_0 = 1$ and $a_{2g-i} = q^{g-i} a_i$ for $0 \le i \le g$ (Theorem 1). If
$g \le 2$ then $a_1 = [P(1) - P(-1)]/[2(q+1)]$, and for $2 \le g \le 3$ we have
$a_2 = [P(1) + P(-1) - 2(q^g + 1)]/[2(q+1)^{g-2}]$. This proves the lemma for $g \le 2$. For $g = 3$,

$$a_1 = \frac{P(1) - P(-1) - 2a_3}{2(q^2+1)} = A_1 + \delta_1,$$

where $A_1 = [P(1) - P(-1)]/[2(q^2+1)]$ is fixed and $|\delta_1| = |a_3|/(q^2+1) < \binom{6}{3} q^{-1/2}$,
by the bounds in (3.2). If $q > 40^2$ then $|\delta_1| < 1/2$ and the integer $a_1$ is
determined, fixing $a_3$ as well. □

To determine $P(-1)$, we compute $\#J_{2/1}(C) = P(1)P(-1)/P(1) = P(-1)$ (Lemma 1).
For hyperelliptic curves, we may equivalently compute $\#J(\tilde C)$ (Lemma 3). In the
non-hyperelliptic case we can compute in $J_{2/1}(C)$ via group operations in $J_2(C)$,
using exponentiation by $P(1)$ to obtain elements of $J_{2/1}(C)$.

For simplicity, we assume $C$ is hyperelliptic. In genus 2 we have

$$a_1 = \frac{P(1) - (q^2+1) - a_2}{q+1} = \frac{P(1) - (q^2+1)}{q+1} - \frac{a_2}{q+1} = A_1 + \delta_1,$$

where the bounds in (3.2) imply $|\delta_1| < \binom{4}{2} = 6$. There are at most eleven possible
values for the integer $a_1$. The corresponding values $P(-1) = P(1) - 2(q+1)a_1$
form an arithmetic sequence with difference $2(q+1)$. To distinguish the correct
$P(-1)$, we generate a random $\alpha \in J(\tilde C)$ and step through the sequence, computing
powers of $\alpha$. If only one exponent of $\alpha$ is found then we have determined $P(-1)$
(usually the case). Otherwise we compute $|\alpha|$ using a suitable exponent (e.g., the
gcd of all exponents found). By repeating this process we determine $\lambda(J(\tilde C))$ and,
if necessary, apply Step 2 of Algorithm 1 to compute $\#J(\tilde C) = P(-1)$.

In fact, explicit computation of $B$ and $G$ enables searches that are effectively unlimited by
RAM: they can be efficiently migrated to disk and matched via a merge or radix sort.
If $d = \gcd(P(1), P(-1)) > 1$, we lose $d$-torsion elements of $J_{2/1}(C)$ when we do this, but the
resulting subgroup will usually be large enough for our purposes.

We use a similar approach in genus 3, and assume $q > 1640$. We then have

$$a_1 = \frac{P(1) - (q^3+1) - (q+1)a_2 - a_3}{q^2+1} = A_1 + \delta_1,$$

with $|\delta_1| < \binom{6}{2} + 1/2$, giving 31 possibilities for $a_1$. Given $P(1)$ and $a_1$, we find

$$a_2 = \frac{P(1) - (q^3+1) - (q^2+1)a_1 - a_3}{q+1} = A_2 + \delta_2,$$

with $|\delta_2| < \binom{6}{3} q^{1/2}$. The corresponding $P(-1)$ values are given by

$$P(-1) = 2(q^3+1) - P(1) + 2(q+1)a_2,$$

and we now have 31 arithmetic sequences for $P(-1)$, each with a difference of
$2(q+1)$ and length less than $40q^{1/2}$. For a random $\alpha \in J(\tilde C)$ we can search for
exponents of $\alpha$ among all these sequences simultaneously using a baby-steps giant-steps
search (but not a primorial-steps search). We compute roughly $\sqrt{1240\,q^{1/2}}$
consecutive powers of $\beta = \alpha^{2(q+1)}$ (baby steps), followed by a similar number of
giant steps suitably spaced among the 31 sequences. This can be implemented using
parallel group operations, as in Algorithm 4.

The total number of group operations is $O(q^{1/4})$ in genus 3. In terms of the
group size $N \approx q^3$, this is $O(N^{1/12})$, with a leading constant factor of about 70.
Given the heuristically subexponential time required to find $\#J(C)$, the $O(N^{1/12})$
term is asymptotically dominant, but for practical values of $N$ this is not the case.
Even for the largest $N$ we consider, given $\#J(C)$, the time to recover the zeta function is
entirely tractable in genus 3 (perhaps a few minutes).

With modification, this approach can be applied in higher genera, but the running
time becomes more significant. In genus 4 the complexity is $O(N^{3/16})$ group
operations, and in general the complexity is $\Omega(N^{(g-1)(g-2)/(8g)})$. Extensions to
Kedlaya's algorithm [5, 30] compute the zeta function of a curve in $O(p^{1/2})$ time,
giving an $O(N^{1/(2g)})$ algorithm. This is slightly faster than our method in genus 4,
and the advantage grows quickly in higher genera.

5. Implementation 

We mention a few implementation details that may be relevant to those wishing
to replicate our results. Our implementation platform was a 2.5GHz AMD Athlon
64 processor (dual core) with 2GB of memory, running a 64-bit Linux operating
system. We ran eight of these systems in parallel in the larger tests. The algorithms
were implemented using the GNU C compiler [55] and the GMP multi-precision
arithmetic library [29].

Black Boxes. The parallel group operation enabled by Algorithm 4 is most advantageous
to a black box based on an affine representation of the Jacobian. We used
modified versions of Algorithms 14.19-21 (genus 2) and Algorithms 14.52-53 (genus
3) in [11]. The black box executes several group operations up to the point where
a field inversion is required, performs a single combined field inversion using
Montgomery's trick [10], then completes the group operations. With this approach the
amortized cost of a field inversion is 3 field multiplications (3M), and the effective
cost of a group operation is then 28M in genus 2 and 74M in genus 3.
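Montgomery's trick as the black box uses it, as an added example in Python (not the paper's C implementation): $n$ nonzero field elements are inverted with a single field inversion and $3(n-1)$ multiplications, so the amortized cost per inversion tends to 3M as the batch grows. The field $\mathbb{F}_p$ with $p = 2^{61} - 1$ is one the paper uses; the batch contents, the multiplication counter and the 40M price assumed for one Montgomery inversion are this example's own.

```python
def batch_invert(xs, p):
    """Montgomery's simultaneous inversion over F_p.
    Returns (inverses, mults): the inverses of xs[0..n-1] and the number of
    field multiplications spent, which is 3(n-1) on top of the single inversion."""
    n = len(xs)
    if n == 0 or any(x % p == 0 for x in xs):
        raise ZeroDivisionError("empty batch or non-invertible element")
    prefix = [xs[0] % p]                         # prefix[i] = x_0 * ... * x_i
    for x in xs[1:]:
        prefix.append(prefix[-1] * x % p)
    mults = n - 1
    acc = pow(prefix[-1], -1, p)                 # the only inversion: 1/(x_0 ... x_{n-1})
    inverses = [0] * n
    for i in range(n - 1, 0, -1):
        inverses[i] = acc * prefix[i - 1] % p    # 1/x_i
        acc = acc * xs[i] % p                    # now 1/(x_0 ... x_{i-1})
        mults += 2
    inverses[0] = acc
    return inverses, mults


def amortized_cost(n, inversion_cost_in_m):
    """Field multiplications per inversion when a batch of n shares one
    inversion that costs inversion_cost_in_m multiplications."""
    return (3 * (n - 1) + inversion_cost_in_m) / n


def demo():
    """A batch of 64 constructed elements of F_p, p = 2^61 - 1.  Returns whether
    every inverse checks out, the multiplication count, and the amortized cost
    assuming (illustratively) that one inversion costs 40M."""
    p = 2 ** 61 - 1
    xs = [(i * i * 1234567 + 17) % p for i in range(1, 65)]
    inv, mults = batch_invert(xs, p)
    ok = all(x * y % p == 1 for x, y in zip(xs, inv))
    return ok, mults, amortized_cost(len(xs), 40)


if __name__ == "__main__":
    print(demo())
```

In the black box the batch is the set of denominators collected from several pending group operations, so the 3M figure is what each of those operations pays for its inversion once the batch is large.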

The prime field arithmetic was implemented in C except for two in-line assembly
directives, one to compute the 128-bit product of two 64-bit values and one to
perform a 128-bit addition. The field multiplications for the Mersenne primes
$2^{61} - 1$ and $2^{89} - 1$ were specifically optimized, but otherwise we used a Montgomery
representation [31], and Montgomery inversion was used in all cases (see [11] and
[42] for algorithms). Performance metrics appear in Table 1.

Parallel exponentiation. Both asymptotically and in practice, the exponentiation
performed in Step 1 of Algorithm 2 dominates the total running time. To
obtain the performance improvements offered by parallel group operations, we
exponentiate in parallel for several curves defined over the same field. The exponent
$E$ does not change once $B$ is chosen, so it should be precomputed and put into a
convenient form (a $2^k$-ary sliding window representation was used in our tests). The
exponentiation takes more than twice as long as the search step, so it is convenient
to have two threads performing exponentiations on a dual processor, feeding their
results to a single search thread running in parallel.

Choosing the bound $B = 2^{n/u}$. Given the comments above, we might search to
a bound greater than $B^2$, balancing the time between exponentiation and searching.
The behavior of the semismooth probability function $G(1/u, 1/v)$ argues against
this, as small changes in $v$ have little impact. In fact, the optimal choice of $v$ is
slightly above $u/2$, implying a bound less than $B^2$, but the difference is negligible.

The quantity $2^{n/u}/\sigma(u)$ is insensitive to small changes in $u$ close to the optimal
value. We can choose a slightly larger $u$ without materially impacting the running
time, obtaining a substantially smaller $B = 2^{n/u}$, which saves space. As seen in
Table 3, one can reduce space by more than a factor of two while increasing the
time by only 5%.

Eliminating 2-torsion. One can efficiently filter a family of hyperelliptic curves
of the form $y^2 = f(x)$ to remove curves whose Jacobian has even order by testing
whether $f(x)$ is an irreducible polynomial in $\mathbb{F}_p[x]$. This is well worth doing if one
is interested in the group $J_{2/1}(C) = J(\tilde C)$, since $\#J(C)$ and $\#J(\tilde C)$ must have
the same parity, but otherwise the situation is less clear. As shown in Table 2,
while the probability of finding groups with near-prime order generally increases
when $\#J(C)$ is odd, the probability that $\#J(C)$ is $B$-easy goes down, more than
offsetting the increase in many cases. Note that it is possible for any of the groups
$J_{4/2}(C)$, $J_{3/1}(C)$ and $J_{3/1}(\tilde C)$ to have prime order even when $\#J(C)$ is even.
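The irreducibility filter, as an added example in Python (not the paper's code): Rabin's test decides whether a monic $f \in \mathbb{F}_p[x]$ is irreducible, which for $y^2 = f(x)$ with $f$ of odd degree over an odd prime field is exactly the condition for $J(C)(\mathbb{F}_p)$ to have odd order, because the rational 2-torsion has order $2^{k-1}$ with $k$ the number of irreducible factors of $f$. The two Table 5 curves whose $\#J(C)$ is even ($p = 2^{84} - 35$, $t = 127861$ and $p = 2^{89} - 1$, $t = 202214$) must therefore fail the filter. The polynomial arithmetic and function names are this example's own; a brute-force cross-check over a small field is included.

```python
import random


def trim(a):
    """Drop trailing zeros; polynomials are low-to-high coefficient lists."""
    a = list(a)
    while a and a[-1] == 0:
        a.pop()
    return a


def pmod(a, f, p):
    """a mod f over F_p for monic f; returns exactly deg(f) coefficients."""
    n = len(f) - 1
    a = [c % p for c in a] + [0] * max(0, n - len(a))
    for i in range(len(a) - 1, n - 1, -1):
        c = a[i]
        if c:
            for j in range(n + 1):
                a[i - n + j] = (a[i - n + j] - c * f[j]) % p
    return a[:n]


def pmul(a, b, f, p):
    """a * b mod f over F_p."""
    prod = [0] * (len(a) + len(b) - 1)
    for i, x in enumerate(a):
        if x:
            for j, y in enumerate(b):
                prod[i + j] += x * y
    return pmod(prod, f, p)


def ppow(base, e, f, p):
    """base^e mod f by square-and-multiply."""
    result = pmod([1], f, p)
    while e:
        if e & 1:
            result = pmul(result, base, f, p)
        base = pmul(base, base, f, p)
        e >>= 1
    return result


def pgcd(a, b, p):
    """gcd over F_p, up to a scalar, by Euclid (divisor made monic for pmod)."""
    a, b = trim(a), trim(b)
    while b:
        inv = pow(b[-1], -1, p)
        a, b = b, trim(pmod(a, [c * inv % p for c in b], p))
    return a


def is_irreducible(f, p):
    """Rabin's test for monic f of degree n in F_p[x]: irreducible iff
    x^(p^n) = x mod f and gcd(x^(p^(n/r)) - x, f) = 1 for each prime r | n."""
    n = len(f) - 1
    x = pmod([0, 1], f, p)
    frob = [x]                                   # frob[i] = x^(p^i) mod f
    for _ in range(n):
        frob.append(ppow(frob[-1], p, f, p))
    if frob[n] != x:
        return False
    for r in range(2, n + 1):
        if n % r == 0 and all(r % s for s in range(2, r)):
            diff = [(u - v) % p for u, v in zip(frob[n // r], x)]
            if len(pgcd(diff, f, p)) != 1:
                return False
    return True


def jacobian_order_is_odd(f, p):
    """For y^2 = f(x), f monic of odd degree over F_p with p odd, #J(C)(F_p)
    is odd exactly when f is irreducible (rational 2-torsion has order 2^(k-1),
    k = number of irreducible factors of f)."""
    if len(f) % 2 or f[-1] != 1 or p % 2 == 0:
        raise ValueError("need monic f of odd degree over an odd prime field")
    return is_irreducible(f, p)


def brute_irreducible(f, p):
    """Trial division by every monic divisor of degree <= deg(f)/2 (small p)."""
    n = len(f) - 1
    for d in range(1, n // 2 + 1):
        for k in range(p ** d):
            g = [(k // p ** i) % p for i in range(d)] + [1]
            if not any(pmod(f, g, p)):
                return False
    return True


def agrees_with_brute_force(p=11, degree=5, trials=40, seed=1):
    """Cross-check Rabin's test against trial division on random monic polynomials."""
    rng = random.Random(seed)
    for _ in range(trials):
        f = [rng.randrange(p) for _ in range(degree)] + [1]
        if is_irreducible(f, p) != brute_irreducible(f, p):
            return False
    return True


def table5_curves_with_even_order():
    """y^2 = x^5 + x + t for the two Table 5 curves with even #J(C); both must
    be rejected by the filter (expected [False, False])."""
    return [jacobian_order_is_odd([127861, 1, 0, 0, 0, 1], 2 ** 84 - 35),
            jacobian_order_is_odd([202214, 1, 0, 0, 0, 1], 2 ** 89 - 1)]
```

The cost is dominated by computing $x^{p^i} \bmod f$ for $i \le \deg f$, i.e. a few hundred multiplications of degree-$2g$ polynomials, which is negligible next to one exponentiation in the Jacobian.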

Efficient matching. In the description of Algorithm 2 the sets $B$ and $G$ contain
tuples $(\alpha, i, k)$, where $\alpha$ is a baby-step or a giant-step (an element of the group). It is not necessary to
store $\alpha$. It can be recovered using $i$ and $k$ by exponentiating $\beta_0$ or $\gamma_0$, which are
known to the algorithm. Asymptotically, a uniform hash value of $\lg B\,(\lg\lg B)^{O(1)}$
bits suffices to keep the cost of matching negligible. In practice, $\lg B$ is less than
30, the values $i$ and $k$ require a total of $\lg B$ bits, and we use a $(64 - \lg B)$-bit hash
value to make a 64-bit value for each tuple. This is about one third the size of a
compressed group element.

When using a fast inverse optimization, it is helpful if an element and its inverse
hash to the same value. This allows detection of both the cases $\gamma\beta = 1_G$ and
$\gamma\beta^{-1} = 1_G$, without requiring extra table entries. To localize memory access, a
merge sort or (better) a radix sort may be used to find matches [5.2.4-5]. We
used a partial radix sort with a radix of $2^8$ or $2^{10}$.
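The matching strategy of this section, as an added example in Python (not the paper's implementation): a baby-step giant-step search for the multiples of a point's order inside the Hasse interval, on a constructed toy elliptic curve over $\mathbb{F}_{10007}$ that stands in for the Jacobian black box so the example runs offline. Each step is stored as one 64-bit integer holding a 32-bit hash and the step index rather than the group element; the hash is the $x$-coordinate, which a point shares with its inverse, so a giant step equal to either $\beta^i$ or $\beta^{-i}$ is caught by one table entry; the two tables are sorted and merged, and on a hash match the elements are recomputed from their indices before the match is accepted. The curve, the field, and all names are this example's own.

```python
from math import isqrt

P = 10007      # toy field prime, P = 3 mod 4 (constructed for this example)
A, B = 2, 3    # toy curve y^2 = x^3 + 2x + 3 over F_P (constructed)


def ec_add(p1, p2):
    """Affine addition on the toy curve; None is the point at infinity."""
    if p1 is None or p2 is None:
        return p2 if p1 is None else p1
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return None
    if p1 == p2:
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)


def ec_neg(pt):
    return None if pt is None else (pt[0], -pt[1] % P)


def ec_mul(n, pt):
    """Double-and-add; the 'exponentiation' in the paper's notation."""
    if n < 0:
        n, pt = -n, ec_neg(pt)
    acc = None
    while n:
        if n & 1:
            acc = ec_add(acc, pt)
        pt = ec_add(pt, pt)
        n >>= 1
    return acc


def find_point(min_order=512):
    """First point (by x) of order > min_order, so that #E(F_P) is the only
    multiple of its order inside the Hasse interval."""
    for x in range(1, P):
        rhs = (x ** 3 + A * x + B) % P
        if pow(rhs, (P - 1) // 2, P) != 1:
            continue
        q = pt = (x, pow(rhs, (P + 1) // 4, P))   # square root, valid as P = 3 mod 4
        for _ in range(min_order):
            pt = ec_add(pt, q)
            if pt is None:
                break
        else:
            return q
    raise ValueError("no suitable point")


def count_points():
    """Naive point count, used only to check the search result."""
    n = 1
    for x in range(P):
        rhs = (x ** 3 + A * x + B) % P
        n += 1 if rhs == 0 else 2 * (pow(rhs, (P - 1) // 2, P) == 1)
    return n


def hasse_interval():
    return P + 1 - 2 * isqrt(P) - 2, P + 1 + 2 * isqrt(P) + 2


def packed(pt, idx):
    """One 64-bit value per step: 32-bit hash (the x-coordinate, shared by pt
    and -pt) in the high half, step index in the low half; no element stored."""
    return (pt[0] << 32) | idx


def bsgs_multiples(q, lo, hi):
    """All N in [lo, hi] with N*q = O.  Baby steps j*q (1 <= j < m) and giant
    steps (lo + k*m)*q are packed, sorted and merged; on a hash match both
    gamma = beta and gamma = -beta are tested, so a single table entry covers
    N = lo + k*m - j and N = lo + k*m + j."""
    m = isqrt(hi - lo) + 1
    found, baby, giant = set(), [], []
    pt = q
    for j in range(1, m):
        baby.append(packed(pt, j))
        pt = ec_add(pt, q)
    gpt, step = ec_mul(lo, q), ec_mul(m, q)
    for k in range(m):
        if gpt is None:
            found.add(lo + k * m)
        else:
            giant.append(packed(gpt, k))
        gpt = ec_add(gpt, step)
    baby.sort()
    giant.sort()
    i = 0
    for g in giant:                                  # merge pass over sorted tables
        hg, gk = g >> 32, g & 0xFFFFFFFF
        while i < len(baby) and baby[i] >> 32 < hg:
            i += 1
        gpt = None
        for b in baby[i:]:                           # run of baby entries with this hash
            if b >> 32 != hg:
                break
            bj = b & 0xFFFFFFFF
            bpt = ec_mul(bj, q)                      # recovered from its index
            gpt = gpt or ec_mul(lo + gk * m, q)
            if gpt == bpt:
                found.add(lo + gk * m - bj)
            elif gpt == ec_neg(bpt):
                found.add(lo + gk * m + bj)
    return sorted(n for n in found if lo <= n <= hi)
```

Because the chosen point has order larger than the width of the Hasse interval, the search returns exactly one value, the group order, which the naive count confirms; the interval search with the $\pm$ trick needs about $2\sqrt{\text{width}}$ steps rather than $2\sqrt{2\,\text{width}}$.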



For families of curves where the field varies, one might include 100 curves per field.
6. Examples

For ease of illustration, we use parameterized families of curves with small coefficients.
This choice is arbitrary, as is the choice of finite field. In practice, one
might choose a family of curves whose coefficients admit a particularly efficient
implementation, as suggested by Bernstein [4].

Genus 3 examples. We use the family of hyperelliptic curves defined by

$$y^2 = x^7 + 3x^5 + x^4 + 4x^3 + x^2 + 5x + t$$

over the prime field $\mathbb{F}_p$, with $p = 2^{50} - 27$. As we are interested in groups $J(C)$ with
near-prime order, we don't try to compute $\#J(C)$ directly. Instead, we attempt
to compute $\#J(\tilde C)$ for each curve in our family, using Algorithm 1 (with random
coefficients, twisting is unnecessary). When successful, we apply the method described
in Section 4.1 to recover the L-polynomial of $C$ using $\tilde P(1) = \#J(\tilde C)$. We
then compute $\#J(C) = \tilde P(-1) = P(1)$.

Given the bound $B$, Algorithm 1 succeeds if $\#J(\tilde C)$ is $B$-easy (Definition 1). To
choose $B$, we make the heuristic assumption that $\#J(\tilde C)$ is a random $n$-bit integer,
where $n = \lg \#J(\tilde C) \approx 150$. We pick $u$ to minimize $2^{n/u}/\sigma(u)$ and set $B = 2^{n/u}$.
For $n = 150$, we choose $u = 6.25$ and find $\sigma(u) \approx 1/1765$ (Table 3).

Algorithm 1 uses $B/\log 2 + o(B)$ group operations, about 36 million in this case
(Table 3). The genus 3 black box performs roughly 1.8 million group operations
per second (Table 1), and the CPU time per curve is about 20 seconds on a 2.5
GHz AMD Athlon-64. This chip has two processors, so on a single PC we test a
curve every 10 seconds. We achieve our first success when $t = 648$ and find

$$\#J(\tilde C) = 2^3 \cdot 5^2 \cdot 233 \cdot 937 \cdot 8053 \cdot 18719 \cdot 44171 \cdot 1180799 \cdot 13517389 \cdot 307558308259.$$

Given $\#J(\tilde C)$, it takes only 300,000 group operations (0.2 seconds) to determine
the zeta function of $C$, whose L-polynomial $P(z)$ has coefficients

$$a_1 = 39141148, \quad a_2 = 1354965780525799, \quad a_3 = 18939879984661962930696.$$

We then compute

$$\#J(C) = P(1) = 2^3 \cdot 3 \cdot 1083611 \cdot 54880077749424473770842486727458448993.$$

This value isn't quite near prime, but it could have been; see Table 6 for a prime
example. The average time required to successfully compute $\#J(\tilde C)$ for some curve
in our family is about four hours on a single PC, somewhat better than $\sigma(u)$ would
suggest (we generally find our heuristic assumption pessimistic). The memory
requirements are modest, about 200MB in this case, and in our largest tests, about
1GB. Memory usage can be substantially reduced with a small (< 5%) impact on
performance (see Table 3). We optimized for time.

We tested similar families of curves with $p = 3 \cdot 10^{16} + 29$ (164-bit group size)
and $p = 2^{61} - 1$ (183-bit group size). Sample results are given in Table 6. In the
first case it took about a day per success on a single PC, and in the second, slightly
over four days. We used eight PCs, succeeding roughly twice a day in the larger
test. Distributed computation not only increases the throughput, it gives a linear
speedup in the time to achieve the first success for up to $O(1/\sigma(u))$ processors.
After an initial partitioning of the family of curves, no communication is required,
making a distributed implementation straightforward.



By Proposition 3 the space can be made $O(\lg^2 \#J(C))$, but with a larger impact on time.
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It is entirely feasible to find cryptographically suitable genus 3 Jacobians using 
this approach. However, the genus 2 case is more attractive, as we can find groups 
offering better security in much less time. 

Genus 2 curves (1). We first consider the family of curves defined by

$$y^2 = x^5 + 2x^3 + 7x^2 + x + t$$

over the prime field $\mathbb{F}_p$ with $p = 2^{61} - 1$. We don't twist our initial family of
curves, as we are not interested in the group $J_{2/1}(C) = J(\tilde C)$, but rather the other
three groups listed in (2.2). In this case $n = \lg \#J(C) \approx 122$ and we let $u = 5.8$,
obtaining $B = 2^{n/u} \approx 2^{21}$ and $\sigma(u) \approx 1/549$.

Algorithm 1 now uses about 4.6 million group operations per curve and the
black box performs over 4 million group operations per second. The CPU time per
curve is under 1.1 seconds, so we test about two curves per second and expect to
successfully compute $\#J(C)$ roughly every five minutes on a single PC.

For each value of $\#J(C)$, we recover $P(z)$ and, applying Lemma 1, compute

$$\#J_{3/1}(C) = P(\omega)P(\omega^2), \qquad \#J_{4/2}(C) = P(i)P(-i),$$

where $\omega = e^{2\pi i/3}$. If these are near prime, we may have found a cryptographically
suitable group. The first case where we succeed in computing $\#J(C)$
occurs when $t = 816$, and we find that $P(z)$ has coefficients $a_1 = 618350030$
and $a_2 = 415833882783789026$. The most interesting value is

$$\#J_{3/1}(C) = P(\omega)P(\omega^2) = 5^2 \cdot 547 \cdot P_{231},$$

where $P_{231}$ is a 231-bit prime. In this case $J_{3/1}(C)$ is equal to the trace zero variety
$T_3(C)$. Even after taking Proposition 1 into account, which reduces the effective
security of Jacobians over extension fields, this is well into cryptographic range.
The next interesting case occurs on our fifth success, when $t = 3909$. We find

$$\#J_{4/2}(C) = P(i)P(-i) = 41^2 \cdot P_{234}.$$

This is the order of $J_2(C_2)$ where $C_2$ is the quadratic twist of $C$ in $\mathbb{F}_{p^2}$. This curve
may be written as

$$y^2 = x^5 + 2\alpha^2 x^3 + 7\alpha^3 x^2 + \alpha^4 x + 3909\alpha^5,$$

where $\alpha$ is any non-residue in $\mathbb{F}_{p^2}$. On our eleventh successful computation, when
$t = 6005$, we find

$$\#J_{3/1}(\tilde C) = P(-\omega)P(-\omega^2) = 4 \cdot P,$$

with $P$ prime, giving a group with security comparable to a 194-bit genus 2 Jacobian of prime
order over a prime field.

The total time to reach this point is about 50 minutes, a typical scenario. If
we are willing to wait a bit longer, we can find many groups with prime order,
including cases where both $\#J_{3/1}(C)$ and $\#J_{3/1}(\tilde C)$ are prime (Table 5). On a
64-bit platform, computation in either $J_2(C)$ or a trace zero variety $T_3(C)$ with
$p = 2^{61} - 1$ will likely be faster than in a Jacobian over a larger prime field with
comparable security.



In this example $\#J_{4/2}(C)$ is not quite large enough. We include it for the sake of illustration.
Genus 2 curves (2). We tested genus 2 curves over three larger fields. In the
first test we used the family of curves defined by

$$y^2 = x^5 + x + t$$

over the prime field $\mathbb{F}_p$, with $p = 2^{84} - 35$. For $u = 6.5$ it takes about 34 hours per
success on a single PC with $\#J(C) \approx 2^{168}$. We computed the order of 43 Jacobians,
finding 11 groups with near-prime order, including:

(1) The Jacobian of the curve $y^2 = x^5 + x + 127861$ over $\mathbb{F}_p$ has near-prime
order, with a 160-bit prime factor and a cofactor of 288.

(2) The trace zero variety of the curve $y^2 = x^5 + x + 89993$ over $\mathbb{F}_{p^3}$ has 336-bit
prime order.

Our second test used the same family of curves with $p = 2^{89} - 1$. With $u = 6.7$
it takes about 4 days per success per PC with $\#J(C) \approx 2^{178}$. We computed the
order of 31 Jacobians, again finding 11 groups with near-prime order, including:

(1) The Jacobian of the curve $y^2 = x^5 + x + 202214$ over $\mathbb{F}_p$ has near-prime
order, with a 171-bit prime factor and a cofactor of 180.

(2) The Jacobian of the curve $y^2 = x^5 + \alpha^4 x + 207686\alpha^5$ over $\mathbb{F}_{p^2}$ has near-prime
order, with a 349-bit prime factor and a cofactor of 169.

(3) The trace zero variety of the curve $y^2 = x^5 + 11x + 15466464$ over $\mathbb{F}_{p^3}$ has
near-prime order, with a 354-bit prime and a cofactor of 7.

Our largest test used $p = 2^{93} - 25$. We computed the order of a 186-bit Jacobian,
finding a 372-bit trace zero variety of near-prime order for the curve

$$y^2 = x^5 + 2x^3 + 3x^2 + 5x + 1050.$$

See Table 5 for the zeta functions of all the curves mentioned above.

7. Conclusion

For general families of genus 2 and genus 3 curves, efficiently finding cryptographically
suitable Jacobians over prime fields remains a challenge. Our method
substantially increases the size of Jacobians whose order can be effectively computed,
and is feasible at the low end of the cryptographic range. In a distributed
implementation, 200-bit group sizes are within reach. As our algorithm does not
use $\ell$-adic or $p$-adic methods, a combined approach may offer further improvement.

Given a family of genus 2 curves defined over a prime field, we can find crypto- 
graphically suitable groups over low degree extension fields efficiently on a single 
PC. Groups offering security comparable to 200-bit genus 2 Jacobians over prime 
fields are easily obtained (about an hour), and the time required to achieve 250-bit 
security levels is not unreasonable (a day or two). Trace zero varieties, in particular, 
appear to offer an attractive combination of performance and security. 

8. Acknowledgments

The author would like to thank Kiran Kedlaya for suggesting the problem of
point-counting on hyperelliptic curves and helpful feedback on early drafts of this
paper. Thanks are also due to Rene Peralta for providing a program to compute
the semismooth probability function, $G(\alpha, \beta)$.



A GENERIC APPROACH TO SEARCHING FOR JACOBIANS



Black Box    F_p              lg|G|    x1      x100    E       S
Genus 2      2^50 - 27        100      1.49    4.26    4.07    3.42
             2^61 - 1         122      1.35    4.81    4.76    3.82
             2^84 - 35        168      0.66    1.85    1.78    1.68
             2^89 - 1         178      0.67    2.11    2.01    1.87
             2^94 - 3         188      0.62    1.83    1.76    1.63
Genus 3      13^11 + 34       122      1.12    1.84    1.86    1.62
             2^50 - 27        150      1.02    1.83    1.85    1.67
             3*10^16 + 29     164      0.98    1.83    1.85    1.67
             2^61 - 1         183      0.92    1.83    1.85    1.68

Table 1. Black Box Performance for Prime Fields

The last four columns list average performance in millions of group operations per second.
The column "x1" indicates operations performed singly and "x100" indicates operations
performed in batches of 100. These figures are for random additions; doubling is about 5%
slower in genus 2 and about 2% faster in genus 3. All values are for single-threaded execution.

The columns E and S show the throughput of the exponentiation (E) and primorial-steps
search (S) performed by Algorithm 2. Values were obtained by dividing the number of group
operations by the elapsed time of a single thread (including all overhead).
Table 2. Jacobian Order Distributions in Genus 2 (percent)

The event $A$ occurs when $\#J(C) \approx 2^n$ is $2^{n/u}$-easy (Definition 1). The event $B_{a/b}$ occurs
when $\#J_{a/b}(C)$ contains a prime factor at least 95% the size of $\#J_{a/b}(C)$. For a random
integer, the probability of this event is $\approx \log(20/19) \approx 5.1\%$.

Each row reflects a large dataset of Jacobians, with the bottom datasets containing only
Jacobians with odd order (no 2-torsion). The datasets for $n = 48$ used curves with random
coefficients over a field $\mathbb{F}_p$ with the prime $p$ chosen at random from an interval around $2^{24}$. The
datasets for $n = 100$ used a fixed prime $p = 2^{50} - 27$ with either random curve coefficients
(first entry), or the parameterized family $y^2 = x^5 + 2x^3 + 7x^2 + x + t$ (second entry).



ANDREW V. SUTHERLAND



  n    w    u     1/σ(u)      B       E       S     E+S    (E+S)/σ(u)   Memory (MB)
 100   5   5.38     195     0.39    0.60    0.25   0.85    1.7 x 10^2        4
 110   5   5.57     309     0.88    1.3     0.57   1.9     5.9 x 10^2        9
 120   5   5.75     484     1.9     2.9     1.2    4.1     2.0 x 10^3       20
 130   6   5.92     745     4.1     6.3     2.5    8.7     6.5 x 10^3       40
 140   6   6.01     936    10      16       6.4   22       2.0 x 10^4      102
 150   6   6.25    1765    17      25      10     36       6.3 x 10^4      166
 160   6   6.40    2640    34      50      21     71       1.9 x 10^5      333
 170   7   6.55    3972    65      97      39    136       5.4 x 10^5      625
 180   7   6.70    6012   122     183      74    256       1.5 x 10^6     1176
 190   7   6.84    8897   230     344     138    482       4.3 x 10^6     2212
 200   7   7.01   14355   388     579     233    812       1.2 x 10^7     3728
 180   6   7.01   14355    54      80      33    114       1.6 x 10^6      532
 190   7   7.14   20943   102     153      62    215       4.5 x 10^6      985
 200   7   7.27   30553   191     286     115    401       1.2 x 10^7     1838

Table 3. Search Parameter Estimates (millions)

The value $n$ is an estimate of $\lg \#J(C)$, $w$ indicates the primorial in Algorithm 1,
and the parameter $u$ minimizes $(E+S)/\sigma(u)$, where $\sigma(u) = G(1/u, 2/u)$ estimates the
probability that a random integer $N \approx 2^n$ is $B$-easy. The value $B = 2^{n/u}$ is listed in
millions, as are the remaining five columns.

The values $E = B/\log 2$ and $S = \sqrt{2\varphi(P_w)/P_w}\,B$ estimate the group operations required
for exponentiation (E) and a primorial-steps search (S) with parameter $B$. Their sum
approximates the group operations used by Algorithm 1 in an unsuccessful attempt to
compute $\#J(C)$, and $(E+S)/\sigma(u)$ is a heuristic estimate of the average number of group
operations required per successful computation of $\#J(C)$.

The last column estimates the memory used by Algorithm 2 assuming both sets $B$ and
$G$ are explicitly computed, using 64 bits per tuple (see Section 5). The last three rows
show the impact of increasing $u$ to reduce space. If only $B$ is stored, the figures in the last
column should be divided by 2.



 Genus    n      u      1/r              E+S             (E+S)/r
   2     100   5.38    172 (-12%)      0.87 (+2%)      1.5 x 10^2 (-10%)
   2     122   5.80    483 (-12%)      4.7  (+2%)      2.3 x 10^3 (-11%)
   3     122   5.80    435 (-21%)      4.8  (+3%)      2.1 x 10^3 (-18%)
   3     150   6.25   1587 (-10%)     36    (+1%)      5.7 x 10^4  (-8%)
   2     168   6.50   3448  (-0%)    129    (+2%)      4.5 x 10^5  (+2%)
   2     178   6.70   5263 (-12%)    213    (+2%)      1.1 x 10^6 (-10%)

Table 4. Actuals vs. Estimates (millions)

The value $r$ is the actual success rate achieved. The first three tests used $10^6$ curves, while
the last three used $10^5$. Deviations from estimates are shown in parentheses.
C: $y^2 = x^5 + x + 456579$, $p = 2^{61} - 1$
   $a_1 = 867588246$, $a_2 = 503655589160075568$
   $\#J_{3/1}(C)$ and $\#J_{3/1}(\tilde C)$ are 244-bit primes, $\#J_2(C)$ not divisible by 3.

C: $y^2 = x^5 + x + 127861$, $p = 2^{84} - 35$
   $a_1 = -2092369310828$, $a_2 = 35830907425009491385101310$
   $\#J(C) = 2^5 \cdot 3^2 \cdot 1299112566516217620665269205633002367450315129777$

C: $y^2 = x^5 + x + 89993$, $p = 2^{84} - 35$
   $a_1 = 1236014582768$, $a_2 = -20956811918028115290034218$
   $\#J_{3/1}(C)$ is a 336-bit prime, $\#J_2(C)$ not divisible by 3.

C: $y^2 = x^5 + x + 202214$, $p = 2^{89} - 1$
   $a_1 = -52033004229306$, $a_2 = 1618004552234213280766854490$
   $\#J(C) = 2^2 \cdot 3^2 \cdot 5 \cdot 2128466028980222265110760419187916380742710181533203$

C: $y^2 = x^5 + x + 207686$, $p = 2^{89} - 1$
   $a_1 = 37333142265075$, $a_2 = 1342175488412716989278850463$
   $\#J(C_2) = 13^2 \cdot P_{349}$, where $P_{349}$ is a 349-bit prime.

C: $y^2 = x^5 + 11x + 15466464$, $p = 2^{89} - 1$
   $a_1 = -29105979141185$, $a_2 = 216189507687913446441772723$
   $\#J_{3/1}(C) = 7 \cdot P_{354}$, where $P_{354}$ is a 354-bit prime, $\#J_2(C)$ not divisible by 3.

C: $y^2 = x^5 + 2x^3 + 3x^2 + 5x + 1050$, $p = 2^{93} - 25$
   $a_1 = 20868893099084$, $a_2 = 14008940235908131442826126566$
   $\#J_{3/1}(C) = 7 \cdot 313 \cdot P_{361}$, where $P_{361}$ is a 361-bit prime, $\#J_2(C)$ divisible by 3.

Table 5. Genus 2 Examples
The curve $C_2$ is the quadratic twist of $C$ over $\mathbb{F}_{p^2}$.



C: $y^2 = x^7 + 3x^5 + x^4 + 4x^3 + x^2 + 5x + t$, $p = 2^{50} - 27$ (the value of $t$ is illegible in this copy)
   $a_1 = 13792821$, $a_2 = 98748931364073$, $a_3 = -4912096020329124903571$
   $\#J(C) = 1427247710190335132030763894493884791800228867$

C: $y^2 = x^7 + 28x^3 + 18x^2 + 27x + 69621$, $p = 3 \cdot 10^{16} + 29$
   $a_1 = -200710015$, $a_2 = 49691549823351179$, $a_3 = -9387711520293250802133155$
   $\#J(C) = 5^2 \cdot 373 \cdot 2895442339877862336809237112865944284512053683$

C: $y^2 = x^7 + 3x^5 + x^4 + 4x^3 + x^2 + 5x + 84538$, $p = 2^{61} - 1$
   $a_1 = -255251897$, $a_2 = 3731171990845206887$, $a_3 = -1915761422452218541377951998$
   $\#J(C) = 2^4 \cdot 3^5 \cdot 17 \cdot 223 \cdot 831781325652289358544190241299568732364985371373$

Table 6. Genus 3 Examples
See http://math.mit.edu/~drew/ for additional examples and verification details.
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